omonte7 wrote:
> Chuck Swiger-2 wrote:
>>
>> On Sep 29, 2010, at 9:42 AM, omonte7 wrote:
>>> Yeah, I saw that in the man page but unfortunately I'm not using a
>>> proxy. I can't connect on port 80 through the firewall so I'm
>>> restricted to any other port. Thanks.
>>
>> If you need HTTP access to download ClamAV security updates,
>> presumably the firewall admin will be willing to let such traffic
>> through, assuming that you are supposed to be doing whatever it is
>> you are doing with ClamAV.
>>
>> Failing that, set up a script which uses rsync+ssh to copy the ClamAV
>> database definitions from a machine which does have working access,
>> and then invoke freshclam to notify clamd about any changes. Of
>> course, you'll need to have a machine available which can update
>> ClamAV normally.
>>
>> Regards,
>> --
>> -Chuck
>>
[snip]
>>
>
> I have internal (on the other side of the firewall) local mirrors which
> update definitions daily. All my "clients" use freshclam to update from
> these servers successfully, my problem is a few servers are in a DMZ (behind
> the firewall) and the firewall admins won't allow me to use HTTP on port 80,
> I have to use HTTP on another port to update from my (internal) local
> mirrors. So, it sounds like freshclam won't allow me to specify which http
> port to use (except for proxy which I'm not using). So, I'll stick with
> wget/curl the updates (which I can specify a port), instead of rsync+ssh,
> and then use sigtool to verify the definitions before telling clamd about
> them.
>
> Thanks everyone.
Have you asked your firewall admins to add a couple of simple firewall rules to
handle this for you?

    if source is your DMZ servers and destination is your Sig Mirrors
    and dest port is 80
    DNAT to Mirror(s):OtherPort

I cannot understand why they would be concerned about that because they have
complete control as to the source, destination and port. Should be pretty
simple. As far as that goes, if you have control of the firewall on the DMZ
servers it can be done right there on that server (assuming linux/iptables)
in a nat PREROUTING line.

Assuming your mirror1 is 10.10.10.10 and your internal interface is eth0:

    iptables -t nat -I PREROUTING -d 10.10.10.10 -i eth0 -p tcp -m tcp \
        --dport 80 -j DNAT --to-destination 10.10.10.10:OtherPort
Rick
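The wget/curl + sigtool + clamd procedure that omonte7 describes above, written out as an added example script (not code from anyone in this thread). The mirror name, port and database directory are placeholder assumptions; it assumes curl, sigtool and clamdscan are installed on the DMZ host.

```shell
#!/bin/sh
# Added example, not code from the thread. Fetch ClamAV databases from an
# internal mirror over HTTP on a non-standard port, verify each file's
# built-in digital signature with sigtool, install only newer files, then
# ask clamd to reload. MIRROR, PORT and DB_DIR are placeholder assumptions.
MIRROR="${MIRROR:-mirror1.internal.example}"
PORT="${PORT:-8080}"
DB_DIR="${DB_DIR:-/var/lib/clamav}"

# Read `sigtool --info` output on stdin and print the database version.
# Returns 1 if no "Version:" line is present.
cvd_version() {
    v=$(sed -n 's/^Version: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# is_newer NEW OLD: true when OLD is empty (nothing installed) or NEW > OLD.
is_newer() {
    [ -z "$2" ] && return 0
    [ "$1" -gt "$2" ]
}

# Download one database, verify it, and rename it into place atomically
# (temp file lives in DB_DIR so mv is a same-filesystem rename).
# Returns 0 when installed, 2 when already current, 1 on any failure.
update_db() {
    name="$1"
    tmp=$(mktemp "$DB_DIR/.$name.XXXXXX") || return 1
    curl -fsS -o "$tmp" "http://$MIRROR:$PORT/$name" || { rm -f "$tmp"; return 1; }
    # sigtool --info exits non-zero when the signature does not verify, so
    # a tampered or truncated download never reaches DB_DIR.
    info=$(sigtool --info "$tmp") || { rm -f "$tmp"; echo "$name: bad signature" >&2; return 1; }
    new=$(printf '%s\n' "$info" | cvd_version) || { rm -f "$tmp"; return 1; }
    [ -f "$DB_DIR/$name" ] && old=$(sigtool --info "$DB_DIR/$name" | cvd_version) || old=""
    if is_newer "$new" "$old"; then
        chmod 0644 "$tmp" && mv "$tmp" "$DB_DIR/$name" && echo "$name: installed $new"
        return 0
    fi
    rm -f "$tmp"
    echo "$name: version $old is current"
    return 2
}

# Usage: sh update.sh main.cvd daily.cvd   (no arguments: only define functions)
if [ "$#" -gt 0 ]; then
    changed=0
    for db in "$@"; do update_db "$db" && changed=1; done
    if [ "$changed" -eq 1 ]; then clamdscan --reload; fi
fi
```

Run it from cron on the DMZ host; clamd is only told to reload when at least one verified, newer database was actually installed.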